We have been informed that having the unmanaged switch in the position it is poses a security risk and that a good option would be to get our Watchguard Firewall to perform the split, by separating our office onto a trusted interface, and by "passing through" the external line to their managed router. It is alleged that the Watchguard is capable of doing this and also rate limiting the interfaces, i.e. 20mbps for the trusted interface and 80mbps for the "pass-through", however Watchguard technical support don't seem to be able to understand what we're trying to achieve.

Can anyone provide any advice on whether this is possible on a Watchguard device and how or perhaps if there's a better way of achieving this, perhaps with a managed switch instead of unmanaged?

Edit: I have attached a diagram of what I'm trying to explain. So, fig.1 is what we have now and we've been informed that the orange dashed area is a security loophole. We want to separate the connections rather than just using a dumb switch, so fig.2 is something like what we want to achieve. However, the red line goes to another router controlled by a third party. We want to do as little as possible, ideally nothing, to that side of the network as they handle all their routing and policies on their equipment; we're just trying to separate it before that. Of course if people think this is unnecessary or there's a better way of achieving this then please do say!

I'm not understanding exactly what you're trying to do, but you can "host" a different network on each Firebox interface. Put one network on the Trusted interface and the other on the Optional interface. The "main" feed from upstream will connect to the External interface. Then configure your rules and NAT as required.
– joeqwerty, Oct 23 '13 at 18:49

joeqwerty, The problem we have is that we don't really want to interfere with the optional interface, in this case. Our network is split in 2. 1 is managed by us via our Watchguard and 1 is managed by another party, however at present the line is "split" by a dumb unmanaged switch which is a security problem.
– fRAiLtY-, Oct 24 '13 at 6:42

I don't understand. Your Fig. 2 is exactly what I'm talking about. The "main" feed comes into the External interface and you use the Trusted interface for your network and the Optional interface for the other network. How does that not work for you? What do you mean you don't want to "interfere" with the Optional interface? Also, how do you propose to split the incoming connection without using two interfaces on the Firebox? With my suggestion, the Optional interface is acting as a "passthrough" to the other network, which is what you've stated you want to do.
– joeqwerty, Oct 24 '13 at 15:22

joeqwerty, The problem we've got is that Watchguard tech support inform us that it's not possible to just allow the red line in this case to "passthrough" untouched; we'd have to apply some NAT rules or policies to it. Because it goes to a third party we'll likely be blamed and ultimately end up "managing" it to a degree, which we don't want to do. We just want to split our connection off to the trusted interface and pass through the rest.
– fRAiLtY-, Oct 24 '13 at 16:01

You can create an "Any" rule on the Firebox to allow all traffic to the other network to flow through the Firebox unencumbered. In addition (and I mean no offense by this), you are re-selling a portion of the internet connection to the other company. That presumes some responsibility on your part. If that means managing it for the other company then so be it. If you don't want the responsibility of doing that then maybe you shouldn't be re-selling it to them.
– joeqwerty, Oct 24 '13 at 16:18

2 Answers

Whoever told you that the current design poses a security risk is wrong. As long as you control the switch in front of the firewall and make sure that nobody is able to set up port mirroring or similar on it I can't really see a better way of doing this with your current hardware. They are after all not behind your firewall, which would pose a greater security risk than what you're doing now.

If doing rate limiting is something you really want then I would buy another firewall (or router) to put between the ISP CE (Juniper) and your firewall, and separate the companies that way.

+1 - there really is no reason to turn the company network into an ISP for third parties unless you really want to and know about the implications thereof. I also would try asking the ISP if the bandwidth limiting setup cannot be performed within the CPE (the Juniper router) - this would spare the additional hardware.
– the-wabbit, Oct 24 '13 at 8:43

pauska, The switch in front of the firewall, the Netgear, is just a dumb unmanaged switch. Would you suggest a better managed switch here as at the moment it kind of "is what it is", which I think is what the consultant was referring to when he mentioned a security risk.
– fRAiLtY-, Oct 24 '13 at 9:38

syneticon-dj, We have already asked this of our ISP who have refused, without reason.
– fRAiLtY-, Oct 24 '13 at 9:39

@fRAiLtY- there is no need for a managed switch unless you need the features that a managed switch can give you. I would probably get a managed one, so that I can set certain locking mechanisms in place (like setting port-security so that the other company can only use 1 MAC address at a time etc). I'd ask more about that specific question at networkengineering.stackexchange.com
– pauska, Oct 24 '13 at 12:22
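As an added illustration of the port-security locking pauska describes (not from the thread or from any of the posters), here is what the shared segment in fig.2 could look like on a managed switch placed where the unmanaged Netgear is now. Cisco IOS-style syntax, the interface names and the VLAN number are assumptions; the three ports are the ISP CE uplink, our Watchguard external interface, and the third party's router.

```cisco
! Added example, not from the thread. IOS-style syntax, port names and VLAN 10 are assumed.
!
! Uplink from the ISP CE (the Juniper): carries the whole feed, left unrestricted.
interface GigabitEthernet0/1
 description Uplink to ISP CE
 switchport mode access
 switchport access vlan 10
!
! Port to our own Watchguard external interface: one MAC address only.
interface GigabitEthernet0/2
 description Watchguard External
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Port to the third party's router: learn its MAC once ("sticky") and allow no other,
! so a device plugged in alongside or in place of it is dropped and logged ("restrict").
interface GigabitEthernet0/3
 description Third-party router
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Nothing else belongs on this segment; keep every unused port shut.
interface range GigabitEthernet0/4 - 8
 shutdown
!
! Periodic checks that nobody has added mirroring (the concern in the accepted answer)
! or tripped port-security on the third-party port:
!   show monitor session all
!   show port-security interface GigabitEthernet0/3
```

The `restrict` violation mode keeps the port up but drops offending frames and raises a syslog message, so the violation counter in the second `show` command is the thing to watch.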